REST API Authorization

[queza85]

Hi

I am trying to use social api like below capture.

So I found the way how to use authorization based on old document(new document has no information).
I tried same way to generate authorization value

But I have issue to autholization.

Can I get any advise to call this api?

[queza85]

Sorry one more question that I add user via 'csv file' in user management screen.
it shows like this error too.

the sample is from your example. but what is the meaning key value?

[queza85]

Hi @rdenarie
Can I get any help or document for this?

[rdenarie]

Hello,

About API access, the url to use basic authentication is /rest/private/xxx instead of /portal/rest/xxx
So in your case, you should access to
/rest/private/v1/social/users

In postman, in authentication tab, you can choose authentication method, for example BASIC, and then fill username and password. Postman will encode it directly, no need to encode it manually :

About import by CSV :
The csv format must be

userName,firstName,lastName,password,email
john,John,Smith,Password1234,[email protected]

• userName instead of login
• key must be removed
• check that separator is ',' and not ';'

[queza85]

@rdenarie thanks for your inform.

If we develop java base, is this still working from your old document?

In my case, we connected with Keycloak. so we use our own users. but the root is not existed.
So can we use another certain user like capture? or have to use only root account?

[rdenarie]

In fact, root user still exists, but only on eXo side. He is not in your keycloack user database, but as he exists in eXo, he can connect.

The basic method still work, but only when using url like /rest/private/... instead of /portal/rest/...

To use API with a keycloack user, you will not be able to use basic authentication. You will have to simulate the complete login phase :
Access to the same url as when the user click on the keycloak button on login page
Make the authentication
Follow the redirect, and get the JSESSION_ID cookie
Then use the cookie to make the API call

[queza85]

Do you mean, I can use root user even I turn on SSO?
Actually, I'm okay any user if we can use the Rest API.

So, when I try this to use our root account which can be login without SSO
It is shown like this error from exo server.

<Call 'rest/private/v1/social/users', it's working without SSO config>

<Response: Unauthorized error>

=> Does it need to install something? before I setup SSO via SAML, I added package based on document.

[rdenarie]

I'm sorry, I mix different contexts.
I though you use OpenId.
In this case, user only in eXo like root can connect.

With SAML, user must exists in the Identity Provider, so root cannot connect.

[queza85]

any user is okay? or it has some permission to access RESTAPI?
I just tried to use certain account has MEMBER role.
But same like above issue.

[rdenarie]

It depends of API.
For example, the one to get users list is accessible to all users.

In fact, you speak about role MEMBER. Can you explain what do you mean for this role ?

When you log in eXo, an go in users and groups administration, you can groups :

• /platform/administrators
• /platform/users
• ...

For each group, users are associated with a role :

• manager
• member
• ...

So a permission is an association between a role and a group :

• member:/platform/users
• manager:/platform/administrators

To access to /v1/social/users, the user must be in the group /platform/users, neverming his role.
Can you ensure that, when logging in the platform, the user you use is present in this group ?

I just tried to use certain account has MEMBER role.

Can you explain what you tried ?

[queza85]

I would like to retrieve user list and save user also.
So I would like to use GET /v1/social/users and POST /v1/social/user.

I tested based on your guide like capture.
I added test account to group for admin and user.
That is home screen after login keycloak.

==>successfully keycloak login as a admin group

==>fail to call api even use certain admin group account

==>exo log when I call api, NoClassDefFoundError

Please, advise for this. thanks

[rdenarie]

In fact, the BASIC authentication will not work with SAML authentication.

You will need to make 2 requests (at least) : one for the login, and get the result JSESSIONID cookie, and the second for the api call, using the cookie.

[queza85]

Ah.. I see.
So if I follow previous your guide for login, I can use only click by user?
I would like to make it automatically call the rest api. but it looks impossible if user has to click login page directly...

"Access to the same url as when the user click on the keycloak button on login page"
Make the authentication
Follow the redirect, and get the JSESSION_ID cookie
Then use the cookie to make the API call"

[rdenarie]

It is not mandatory to make click by a user.
I dont know exactly which tool you use to make API call, but your tool can make different requests :

• first request is the login request. In the response you read the cookie
• second request use the cookie, then call the API you want.

[queza85]

I developed spring boot application.
If I use this, how can I make first request in back-end side? I understood this is done on UI side by the user, doesn't it?

[rdenarie]

When you make a login in your browser, and observ with developer tool the network tab, you will see the login request, which is a POST. So you can reproduce this request with your spring boot app.

[queza85]

ah. I see.
I will try to catch when I make a login in the keycloak.

[paljitender]

@rdenarie,

Getting 401 unauthorize while fetching the spaces data based on the ID

using Following info:

URL :- http://localhost:8080/rest/private/v1/social/spaces/gdp

Adding the screen shot below;

[rdenarie]

What is 'gdp' ? is it a space Name ?

Do request /rest/private/v1/social/spaces is working ?

[Chiranjeevi-d]

If the user login through openId then how he can access the exo platfrom api's. Is there any other way of login is supported other than Basic authentication.

[rdenarie]

Hi,
To call directly eXo API, with only one request, there is only BASIC auth currently.

If you want to use openId, you will need to reproduce the sequence of requests done in a browser, by storing and reusing cookies between requests.

[Chiranjeevi-d]

Could you plz share any supportive document how to this. Actually we have an application authentication is done through ad  with the same credentials need login into exo platform is it possible. Chiranjeevi D

…

---- On Mon, 19 Aug 2024 13:24:22 +0530 ***@***.*** wrote ---- Hi, To call directly eXo API, with only one request, there is only BASIC auth currently. If you want to use openId, you will need to reproduce the sequence of requests done in a browser, by storing and reusing cookies between requests. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you commented.

[Chiranjeevi-d]

Could you plz share any supportive document how to do this.        Actually we have an application, authentication is done through  microsoft ad  with the same credentials need login into exo platform is it possible to do this  Chiranjeevi D

…

---- On Mon, 19 Aug 2024 13:24:22 +0530 ***@***.*** wrote ---- Hi, To call directly eXo API, with only one request, there is only BASIC auth currently. If you want to use openId, you will need to reproduce the sequence of requests done in a browser, by storing and reusing cookies between requests. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you commented.

[rdenarie]

I have not documentation about that.
It is an integration subject.

You need to analyze requests done during a login process in a browser (use browser dev tool).
Then reproduce theses requests in a programatical manner to replay the login processus.

[Chiranjeevi-d]

Thanks for your support !!! Chiranjeevi D

…

---- On Mon, 19 Aug 2024 13:39:26 +0530 ***@***.*** wrote ---- I have not documentation about that. It is an integration subject. You need to analyze requests done during a login process in a browser (use browser dev tool). Then reproduce theses requests in a programatical manner to replay the login processus. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you commented.